IP Address ***.**.***.** is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2013-07-02 18:00 GMT (+/- 30 minutes), approximately 4 hours ago.

This IP is infected (or NATting for a computer that is infected) with the cutwail spambot. In other words, it's participating in a botnet.

If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
-----------

The problem is this: I have over 100 machines behind the NAT'd IP (MPLS setup). Is there any way to narrow down which machine(s) is/are the culprit(s)? From what I have read, the Cutwail botnet connects outbound to various IPs, however I cannot find a listing of them anywhere to be able to block them in my firewalls. I am also told that Cutwail uses random ports, so blocking 25 would not be sufficient.

The firewalls/routers that I have on each subnet (scattered across 15 physical locations in SE WI) are able to log to a syslog server, however I am not sure what I should be looking for in the syslog.

Anyone have any thoughts or ideas as to what I could possibly do to find the culprits on my network?

Yep, most trojans will connect out on random ports but they still send mail out to other servers on port 25. Block AND LOG port 25 for all client addresses and allow for your email server only.

Read your logs for outgoing port 25 connections. If your DHCP lease time is short, increase your DHCP lease time. Otherwise whenever a lease runs out the logged IP could be invalid unless your firewall can do DNS lookups against AD and log that. Even that could be wrong if DNS doesn't update (users/cellphones/devices not from your AD can be resolved incorrectly to an old reverse DNS address). You have reverse DNS, right?

Antivirus is a must on client computers. Check your Spiceworks report on invalid, out of date, unlicensed, incorrect antivirus. Get those into compliance with up to date and correct company licensed copies. Examine Scan Error items, know what devices are failing scans and examine them. Outside customer, contractor, and BYOD could also be a problem. Cell phones, tablets, music devices with WiFi can be a problem as well, as they can be exploited. Secure your WiFi.

Upgrade that firewall to one that offers IPS/Intrusion Protection System. Some of these can detect and block connections that are known virus at the file stream level. I have a Sonicwall that does this, I've also reviewed several others that have this ability.

Last but not least, if you have dynamic DNS for your internet you could just be handed a soiled IP someone already trashed before you. Another possibility is the block list maintainers decided to add part or all of your ISP's netblock due to a spammer on your ISP's network.
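To turn the "block AND LOG port 25, then read the logs" advice into something you can actually run against the syslog server, here is an added example (not from the original post). It assumes a generic iptables-style log format with SRC/DST/DPT fields and a hypothetical mail relay address; the sample lines are constructed, and the output is a per-source tally of outbound SMTP attempts and distinct destinations, which is the fan-out pattern a spambot shows that a normal workstation never does.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the original post) in an iptables-style
# format; the firewall rule logs every outbound TCP connection attempt it sees.
SAMPLE_SYSLOG = """\
Jul  2 17:41:02 fw-site3 kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.3.0.57 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=25
Jul  2 17:41:05 fw-site3 kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.3.0.57 DST=198.51.100.22 PROTO=TCP SPT=51240 DPT=25
Jul  2 17:41:09 fw-site1 kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.0.5 DST=192.0.2.80 PROTO=TCP SPT=40011 DPT=25
Jul  2 17:41:11 fw-site3 kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.3.0.57 DST=192.0.2.33 PROTO=TCP SPT=51251 DPT=25
Jul  2 17:42:30 fw-site1 kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.1.0.88 DST=192.0.2.80 PROTO=TCP SPT=40100 DPT=443
Jul  2 17:42:51 fw-site3 kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.3.0.57 DST=203.0.113.44 PROTO=TCP SPT=51260 DPT=25
"""

# Hypothetical address of the legitimate mail relay; only it should speak outbound SMTP.
MAIL_SERVER = "10.1.0.5"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<fw>\S+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

def smtp_talkers(log_text, mail_server=MAIL_SERVER):
    """Return {src_ip: (firewall, attempt_count, distinct_destinations)} for every
    internal host other than the mail relay that opened outbound TCP/25 connections.
    A host fanning out to many different remote MTAs is the one to go and look at."""
    attempts = Counter()
    dests = defaultdict(set)
    fw_of = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue            # not SMTP, or not a line in the expected format
        src = m.group("src")
        if src == mail_server:
            continue            # the relay is allowed to send mail
        attempts[src] += 1
        dests[src].add(m.group("dst"))
        fw_of[src] = m.group("fw")
    return {src: (fw_of[src], n, len(dests[src])) for src, n in attempts.items()}

def ranked_suspects(log_text, mail_server=MAIL_SERVER):
    """Suspects sorted by distinct SMTP destinations, then attempts, busiest first."""
    hits = smtp_talkers(log_text, mail_server)
    return sorted(hits.items(), key=lambda kv: (kv[1][2], kv[1][1]), reverse=True)

if __name__ == "__main__":
    for src, (fw, n, ndst) in ranked_suspects(SAMPLE_SYSLOG):
        print(f"{src:15} seen at {fw}: {n} SMTP attempts to {ndst} distinct hosts")
```

The firewall name in the output tells you which of the 15 sites to visit; match the source IP against that site's DHCP lease table at the logged time (hence the advice above about lease length) to get the actual machine.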

You can configure SpamAssassin to filter outbound as well if you don't want to pay for a commercial solution. Works quite well once the initial tweaking is done. Not sure you have experience with that... Else pay someone to do it for you (= hint ;-))